How to monitor TAS NATS traffic with NATS CLI
Article ID: 298349

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

TAS (Tanzu Application Service) uses NATS as the message bus between its components, for example:
  • route-emitter publishes router.register and router.unregister messages so that Gorouter adds and removes app routes
  • metrics-discovery-registrar publishes scrape_targets for the metrics components
When troubleshooting an app misrouting issue or a missing system component route, it helps to watch the NATS traffic directly and confirm whether the route in question is being registered, kept registered, and not unexpectedly unregistered. Note that Gorouter also prunes a route whose periodic router.register messages stop arriving, so a route that simply goes quiet on the bus disappears just as if it had been explicitly unregistered.

Environment

VMware Tanzu Application Service for VMs

Resolution

This article describes how to monitor TAS NATS traffic with the NATS CLI (nats).

Download the NATS CLI if you do not already have it. The example below fetches v0.2.4 for Linux amd64; check the GitHub releases page for other versions and platforms. Verify the downloaded archive against the checksums published with the release before running it on a jumpbox that will hold NATS credentials.

wget https://github.com/nats-io/natscli/releases/download/v0.2.4/nats-0.2.4-linux-amd64.zip

For NATS with TLS enabled

1. Unzip the archive and place the nats binary on a jumpbox that can reach the TAS NATS VM on port 4224 (the TLS listener). Make it executable (chmod +x nats) and add its directory to $PATH.

2. Make sure the NATS internal FQDN nats.service.cf.internal resolves to the NATS VM IP on the jumpbox; add an entry to the local /etc/hosts file if necessary. Connect by this name rather than by IP address, because the NATS server certificate is issued for that name and TLS verification fails otherwise. For example,

$ grep nats.service.cf.internal /etc/hosts
#.#.#.#  nats.service.cf.internal

3. Obtain the NATS credentials (user, password and TLS material) from either location. Treat them as secrets: restrict the files to your own user (chmod 400) and remove them from the jumpbox when you are done.

  • Gorouter VM
    • /var/vcap/jobs/gorouter/config/gorouter.yml
    • From the nats section, take the user and password and the values of ca_certs, cert_chain and private_key. Save the three PEM values to separate files on the jumpbox, for example nats-ca.pem, nats-cert.pem and nats-key.pem, and run "chmod 400 <file name>" on each.
  • NATS VM
    • /var/vcap/jobs/nats-tls/config/nats-tls.conf
    • From the tls section, take the paths in ca_file, cert_file and key_file and copy those files to the jumpbox; run "chmod 400 <file name>" on each.

4. Subscribe to the route register/unregister messages (subjects router.register and router.unregister). Passing --password on the command line leaves the secret in shell history and process listings; the nats CLI also reads it from the NATS_PASSWORD environment variable, which avoids the history entry.

$ nats --server="nats.service.cf.internal:4224" --user=nats --password="####" --tlsca=nats-ca.pem  --tlscert=nats-cert.pem --tlskey=nats-key.pem sub "router.>"

#:#:# Subscribing on router.>
[#1] Received on "router.register"
{"uris":["api.system.<DOMAIN>/networking"],"host":"##.##.##.##","tls_port":4002,"tags":{"component":"NetworkPolicyServer"},"private_instance_id":"01c9819f-##-##-##-db10d98fa373","server_cert_domain_san":"network-policy-server.service.cf.internal"}

[#2] Received on "router.register"
{"uris":["scs-mirror-service.system.<DOMAIN>"],"host":"##.##.##.##","port":50505,"tags":{"component":"scs-mirror-service"},"private_instance_id":"e3294321-##-##-##-4687ffecfa89"}

[#3] Received on "router.register"
{"host":"##.##.##.##","port":61016,"tls_port":61021,"uris":["myapp.apps.<DOMAIN>"],"app":"74066def-##-##-##-b47a08f297dc","private_instance_id":"34f5baef-##-##-##-9fb9","private_instance_index":"0","server_cert_domain_san":"34f5baef-##-##-##-9fb9","tags":{"app_id":"74066def-##-##-##-b47a08f297dc","app_name":"myapp","component":"route-emitter","instance_id":"0","organization_id":"abf39819-##-##-##-41c59f0c4947","organization_name":"system","process_id":"74066def-##-##-##-b47a08f297dc","process_instance_id":"34f5baef-##-##-##-9fb9","process_type":"web","source_id":"74066def-##-##-##-b47a08f297dc","space_id":"0938cc81-##-##-##-0fb541a39f27","space_name":"my-space"}}
...

5. To capture all NATS traffic rather than only the router messages, change the subject to '>' (the NATS wildcard matching every subject). Expect a much higher message volume, and remember that the payloads carry internal details such as addresses and instance IDs, so handle any saved capture as sensitive.

$ nats --server="nats.service.cf.internal:4224" --user=nats --password="####" --tlsca=/tmp/nats-ca.pem  --tlscert=/tmp/nats-cert.pem --tlskey=/tmp/nats-key.pem sub ">"

#:#:# Subscribing on >

If you put the nats CLI binary onto a NATS server instance itself, run the following command as root instead so that the nats-tls job's certificate and key files can be read:

# nats --server="nats.service.cf.internal:4224" --user=nats --password="####" --tlsca=/var/vcap/jobs/nats-tls/config/external_tls/ca.pem  --tlscert=/var/vcap/jobs/nats-tls/config/external_tls/certificate.pem --tlskey=/var/vcap/jobs/nats-tls/config/external_tls/private_key.pem  sub "router.>"
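
Step 3 above is normally done by hand in an editor. The following Python script is an added example, not part of this article or of TAS, that does the same extraction mechanically: it reads the nats section of gorouter.yml, pulls out the ca_certs, cert_chain and private_key block scalars, and writes them to nats-ca.pem, nats-cert.pem and nats-key.pem created with mode 0400 (the article's chmod 400), refusing to overwrite existing files. The embedded gorouter.yml fragment is constructed with placeholder PEM bodies; only the three PEM field names come from the article, the other keys in the sample are assumptions.

```python
"""Extract the NATS client TLS material from gorouter.yml into 0400 PEM files.

Added example for this KB article; it is not part of the article or of TAS.
It automates step 3 of the TLS procedure: the ca_certs, cert_chain and
private_key block scalars under the `nats:` section of
/var/vcap/jobs/gorouter/config/gorouter.yml become nats-ca.pem,
nats-cert.pem and nats-key.pem, created 0600 and tightened to 0400 so the
key is never readable by anyone else, not even briefly.
"""
import os
import re
import stat
import tempfile

# Constructed gorouter.yml fragment. The three PEM field names come from the
# article; the other keys and the placeholder PEM bodies are assumptions.
SAMPLE_GOROUTER_YML = """\
status:
  port: 8080
nats:
  user: nats
  hosts:
  - nats.service.cf.internal
  port: 4224
  ca_certs: |
    -----BEGIN CERTIFICATE-----
    MIIBcaPLACEHOLDER
    -----END CERTIFICATE-----
  cert_chain: |
    -----BEGIN CERTIFICATE-----
    MIIBcertPLACEHOLDER
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEkeyPLACEHOLDER
    -----END RSA PRIVATE KEY-----
logging:
  level: info
"""

PEM_KEYS = ("ca_certs", "cert_chain", "private_key")
FILE_NAMES = {"ca_certs": "nats-ca.pem", "cert_chain": "nats-cert.pem",
              "private_key": "nats-key.pem"}
BLOCK_KEY_RE = re.compile(r"^(\s*)([A-Za-z_]\w*):\s*\|[+-]?\s*$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def extract_block_scalars(yaml_text, section="nats", keys=PEM_KEYS):
    """Return {key: pem_text} for `key: |` block scalars under `section:`.

    Deliberately a tiny indentation-based reader so the jumpbox needs no
    PyYAML. Only keys inside the named top-level section are considered.
    """
    lines = yaml_text.splitlines()
    found, in_section, i = {}, False, 0
    while i < len(lines):
        line = lines[i]
        if not line.strip() or line.lstrip().startswith("#"):
            i += 1
            continue
        if _indent(line) == 0:                      # a new top-level key
            in_section = line.rstrip() == f"{section}:"
            i += 1
            continue
        m = BLOCK_KEY_RE.match(line)
        if in_section and m and m.group(2) in keys:
            key_indent, body = len(m.group(1)), []
            i += 1
            # the scalar runs while lines are indented deeper than the key
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_indent):
                body.append(lines[i].strip())
                i += 1
            found[m.group(2)] = "\n".join(body).strip() + "\n"
            continue
        i += 1
    return found


def check_material(material, keys=PEM_KEYS):
    """Return a list of problems: missing keys or values that are not PEM."""
    problems = []
    for key in keys:
        pem = material.get(key)
        if pem is None:
            problems.append(f"{key}: not found under nats section")
        elif not (pem.startswith("-----BEGIN ") and pem.rstrip().endswith("-----")):
            problems.append(f"{key}: value does not look like PEM")
    return problems


def write_pem_files(material, out_dir):
    """Write each value to out_dir/nats-*.pem and return {key: path}.

    O_EXCL refuses to overwrite an existing file; the file is created 0600
    and tightened to 0400 once written (the article's `chmod 400`).
    """
    paths = {}
    for key, pem in material.items():
        path = os.path.join(out_dir, FILE_NAMES.get(key, f"nats-{key}.pem"))
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
        os.chmod(path, 0o400)
        paths[key] = path
    return paths


def file_modes(paths):
    """Return {key: permission bits} of the written files, e.g. 0o400."""
    return {k: stat.S_IMODE(os.stat(p).st_mode) for k, p in paths.items()}


def write_to_new_temp_dir(material):
    """Write into a fresh private temp dir and return the resulting modes."""
    return file_modes(write_pem_files(material, tempfile.mkdtemp(prefix="nats-creds-")))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GOROUTER_YML
    out_dir = sys.argv[2] if len(sys.argv) > 2 else tempfile.mkdtemp(prefix="nats-creds-")
    material = extract_block_scalars(text)
    problems = check_material(material)
    if problems:
        sys.exit("\n".join(problems))
    for key, path in write_pem_files(material, out_dir).items():
        print(f"{key:12s} -> {path}")
```

Run it as `python3 extract_nats_pem.py /path/to/gorouter.yml ./nats-creds` (the script name is arbitrary), then point --tlsca/--tlscert/--tlskey at the three files it prints. Delete the directory when the investigation is finished.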

For NATS without TLS enabled

1. Unzip the archive and place the nats binary on a jumpbox that can reach the TAS NATS VM on port 4222. Make it executable (chmod +x nats) and add its directory to $PATH. Without TLS, the NATS password and every message cross the network in cleartext, so run the CLI only from a host inside the deployment network.

2. Find the NATS user and password at either location

  • on the Gorouter VM: the nats section of /var/vcap/jobs/gorouter/config/gorouter.yml
  • on the NATS VM: the authorization section of /var/vcap/jobs/nats/config/nats.conf

3. Subscribe to the route register/unregister messages (subjects router.register and router.unregister):

$ nats --server="NATS_VM_IP:4222" --user=nats --password="####"  sub "router.>"

#:#:# Subscribing on router.>
[#1] Received on "router.register"
{"uris":["api.system.<DOMAIN>/networking"],"host":"##.##.##.##","tls_port":4002,"tags":{"component":"NetworkPolicyServer"},"private_instance_id":"01c9819f-##-##-##-db10d98fa373","server_cert_domain_san":"network-policy-server.service.cf.internal"}

[#2] Received on "router.register"
{"uris":["scs-mirror-service.system.<DOMAIN>"],"host":"##.##.##.##","port":50505,"tags":{"component":"scs-mirror-service"},"private_instance_id":"e3294321-##-##-##-4687ffecfa89"}

[#3] Received on "router.register"
{"host":"##.##.##.##","port":61016,"tls_port":61021,"uris":["myapp.apps.<DOMAIN>"],"app":"74066def-##-##-##-b47a08f297dc","private_instance_id":"34f5baef-##-##-##-9fb9","private_instance_index":"0","server_cert_domain_san":"34f5baef-##-##-##-9fb9","tags":{"app_id":"74066def-##-##-##-b47a08f297dc","app_name":"myapp","component":"route-emitter","instance_id":"0","organization_id":"abf39819-##-##-##-41c59f0c4947","organization_name":"system","process_id":"74066def-##-##-##-b47a08f297dc","process_instance_id":"34f5baef-##-##-##-9fb9","process_type":"web","source_id":"74066def-##-##-##-b47a08f297dc","space_id":"0938cc81-##-##-##-0fb541a39f27","space_name":"my-space"}}
...

4. To capture all NATS traffic rather than only the router messages, change the subject to '>' (the NATS wildcard matching every subject). Expect a much higher message volume, and remember that the payloads carry internal details such as addresses and instance IDs, so handle any saved capture as sensitive.

$ nats --server="NATS_VM_IP:4222" --user=nats --password="####"  sub ">"

#:#:# Subscribing on >
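
Both the TLS and the non-TLS procedures end with the same router.register / router.unregister stream, and reading it by eye is hard once more than a few apps are registering. The following Python script is an added example, not part of this article, TAS or the nats CLI, that summarises a saved `nats ... sub "router.>"` capture: it parses the `[#N] Received on "<subject>"` headers and their JSON payloads (on the following line, or on the same line as in the flattened transcript above), folds them into per-URI state, and lists routes whose last backend has been unregistered. The field names follow the article's output; the embedded transcript is constructed.

```python
"""Summarise route register/unregister traffic captured with `nats sub "router.>"`.

Added example for this KB article; it is not part of the article, TAS or the
nats CLI. Feed it the text the nats CLI printed (pipe or file) and it reports,
per URI, which backends are currently registered and which routes have been
unregistered without being registered again, which is the question the
article's troubleshooting is usually trying to answer.
"""
import json
import re
import sys
from collections import defaultdict

# Constructed transcript in the nats CLI's output format. Field names follow
# the article's sample messages; hosts and IDs are made up.
SAMPLE_TRANSCRIPT = """\
12:00:00 Subscribing on router.>
[#1] Received on "router.register"
{"uris":["myapp.apps.example.com"],"host":"10.0.4.21","port":61016,"tls_port":61021,"app":"74066def-0000","private_instance_id":"34f5baef-0000","tags":{"component":"route-emitter","app_name":"myapp","instance_id":"0"}}

[#2] Received on "router.register" {"uris":["api.system.example.com/networking"],"host":"10.0.1.9","tls_port":4002,"tags":{"component":"NetworkPolicyServer"},"private_instance_id":"01c9819f-0000","server_cert_domain_san":"network-policy-server.service.cf.internal"}
[#3] Received on "router.register"
{"uris":["myapp.apps.example.com"],"host":"10.0.4.22","port":61016,"tls_port":61021,"app":"74066def-0000","private_instance_id":"34f5baef-0001","tags":{"component":"route-emitter","app_name":"myapp","instance_id":"1"}}

[#4] Received on "router.unregister"
{"uris":["myapp.apps.example.com"],"host":"10.0.4.21","port":61016,"tls_port":61021,"app":"74066def-0000","private_instance_id":"34f5baef-0000","tags":{"component":"route-emitter","app_name":"myapp","instance_id":"0"}}

[#5] Received on "router.unregister"
{"uris":["myapp.apps.example.com"],"host":"10.0.4.22","port":61016,"tls_port":61021,"app":"74066def-0000","private_instance_id":"34f5baef-0001","tags":{"component":"route-emitter","app_name":"myapp","instance_id":"1"}}
"""

# `nats sub` prints one header per message; the JSON payload follows, either on
# the next line or (as in the article's flattened transcript) on the same one.
HEADER_RE = re.compile(r'\[#(\d+)\] Received on "([^"]+)"')
_decoder = json.JSONDecoder()


def parse_transcript(text):
    """Return [(seq, subject, payload_dict)] in arrival order.

    Everything between one header and the next is the payload; raw_decode
    reads the leading JSON object and tolerates trailing text such as "...".
    """
    heads = list(HEADER_RE.finditer(text))
    messages = []
    for idx, m in enumerate(heads):
        end = heads[idx + 1].start() if idx + 1 < len(heads) else len(text)
        raw = text[m.end():end].strip()
        try:
            payload, _ = _decoder.raw_decode(raw)
        except json.JSONDecodeError:
            payload = {"_unparsed": raw}     # keep it; never drop a message silently
        messages.append((int(m.group(1)), m.group(2), payload))
    return messages


def route_table(messages):
    """Fold register/unregister messages into per-URI state.

    Backends are keyed host:tls_port when the emitter advertises a TLS port,
    else host:port. Returns (table, other), where `other` counts messages on
    subjects this summary ignores.
    """
    table = defaultdict(lambda: {"backends": set(), "components": set(),
                                 "registers": 0, "unregisters": 0})
    other = defaultdict(int)
    for _seq, subject, p in messages:
        if subject not in ("router.register", "router.unregister") or not isinstance(p.get("uris"), list):
            other[subject] += 1
            continue
        backend = f"{p.get('host')}:{p.get('tls_port') or p.get('port')}"
        for uri in p["uris"]:
            entry = table[uri]
            entry["components"].add(p.get("tags", {}).get("component", "?"))
            if subject == "router.register":
                entry["registers"] += 1
                entry["backends"].add(backend)
            else:
                entry["unregisters"] += 1
                entry["backends"].discard(backend)
    return dict(table), dict(other)


def routes_without_backends(table):
    """URIs seen on the bus that currently have no registered backend: the
    candidates for an 'unexpectedly unregistered' route."""
    return sorted(uri for uri, e in table.items() if not e["backends"])


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRANSCRIPT
    table, other = route_table(parse_transcript(text))
    for uri, e in sorted(table.items()):
        print(f"{uri}: {e['registers']} register / {e['unregisters']} unregister, "
              f"backends={sorted(e['backends']) or 'NONE'} via {sorted(e['components'])}")
    if other:
        print("ignored subjects:", other)
    if routes_without_backends(table):
        print("routes with no backend left:", routes_without_backends(table))
```

Save the subscription output first (for example `nats ... sub "router.>" | tee nats-router.log`, stopping it after a few minutes), then run `python3 route_watch.py < nats-router.log` (the script name is arbitrary). Because route-emitter re-registers each route periodically, a healthy URI's register count keeps growing over a capture; a URI that appears once and then goes quiet is being pruned by Gorouter even though it never shows up in the "no backend left" list.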

If the NATS CLI cannot be used in your environment, see the KB article at https://knowledge.broadcom.com/external/article/297651/how-to-monitor-nats-traffic-on-the-gorou.html, which captures the NATS traffic with tcpdump instead.